Overall Classification


This briefing is classified 
(U) What is TOR?


(U) "The Onion Router"

(U) Enables anonymous internet activity
  - General privacy
  - Non-attribution
  - Circumvention of nation state internet policies

(U) Hundreds of thousands of users
  - Dissidents (Iran, China, etc)
  - SENNA


TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL


(U) What is TOR?

[Diagram: a client with the TOR client installed, browsing the web to an OCONUS internet site]
(U) What is TOR?

(U) TOR Browser Bundle
  - Portable Firefox 10 ESR (tbb-firefox.exe)
  - Vidalia
  - Polipo
  - TorButton
  - TOR

"Idiot-proof"


(S//REL) The TOR Problem

[Slide: several TOR users, each shown as "32-bit Windows 7, Firefox/10.0"]
(TS//SI//REL) BuildID gives a timestamp for when the Firefox release was built

(TS//SI//REL) tbb-firefox's BuildID: 20121024073032
(TS//SI//REL) TorButton cares about TOR users being indistinguishable from TOR users

(TS//SI//REL) We only care about TOR users versus non-TOR users

(TS//SI//REL) Thanks to TorButton, it's easy!
(TS//SI//REL) Exploiting TOR

(TS//SI//REL) tbb-firefox is barebones
  - Flash is a no-no
  - NoScript addon pre-installed...
    ...but not enabled by default!

TOR explicitly advises against using any addons or extensions other than TorButton and NoScript

(TS//SI//REL) Need a native Firefox exploit


(TS//SI//REL) Exploiting TOR

(TS//SI//REL) ERRONEOUSINGENUITY
  - Commonly known as ERIN
  - First native Firefox exploit in a long time
  - Only works against 13.0-16.0.2

(TS//SI//REL) EGOTISTICALGOAT
  - Commonly known as EGGO
  - Configured for 11.0-16.0.2...
    ...but the vulnerability also exists in 10.0!


(U) EGOTISTICALGOAT

(TS//SI//REL) Type confusion vulnerability in E4X

(TS//SI//REL) Enables arbitrary read/write access to the process memory

(TS//SI//REL) Remote code execution via the CTypes module
(TS//SI//REL) Can't distinguish OS until on box
  - That's okay

(TS//SI//REL) Can't distinguish Firefox version until on box
  - That's also okay

(TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box
  - I think you see where this is going
(TS//SI//REL) Tests on Firefox 10 ESR worked

(TS//SI//REL) Tests on tbb-firefox did not
  - Gained execution
  - Didn't receive FINKDIFFERENT

(TS//SI//REL) Defeated by Prefilter Hash!
  - Requests EGGI: Hash(tor exit ip || session id)
  - Requests FIDI: Hash(target ip || session id)
(TS//SI//REL) Easy fix
  - Turn off prefilter hashing
  - FUNNELOUT

(TS//SI//REL) OPSEC Concerns
  - Pre-play attacks
    - ROSES
    - Adversarial Actors
  - Targets worth it?